1 Introduction

We consider "iterative" algorithms for achieving approximate Byzantine consensus in synchronous point-to-point communication networks that are modeled by arbitrary directed graphs. The iterative approximate Byzantine consensus (IABC) algorithms of interest have the following properties:

• Initial state of each node is equal to a real-valued input provided to that node.

• Validity condition: After each iteration of an IABC algorithm, the state of each fault-free node must remain in the convex hull of the states of the fault-free nodes at the end of the previous iteration.¹

• Convergence condition: For any $\epsilon > 0$, after a sufficiently large number of iterations, the states of the fault-free nodes are guaranteed to be within $\epsilon$ of each other.

In this paper, we are interested in parameter-independent algorithms that do not require explicit knowledge of the upper bound on the number of faults to be tolerated. In particular, we introduce a specific parameter-independent IABC algorithm, named the Middle Algorithm. We derive a necessary condition on the underlying communication graph under which the Middle algorithm can tolerate up to $f$ Byzantine faults. For graphs that satisfy this necessary condition, we show the correctness of the Middle Algorithm, proving that our necessary condition is tight.

For a more thorough discussion on related work, please refer to our previous work [3].


2 System Model

Communication model: The system is assumed to be synchronous. The communication network is modeled as a simple directed graph $G(\mathcal{V}, \mathcal{E})$, where $\mathcal{V} = \{1, \ldots, n\}$ is the set of $n$ nodes, and $\mathcal{E}$ is the set of directed edges between the nodes in $\mathcal{V}$. With a slight abuse of terminology, we will use the terms edge and link interchangeably. We assume that $n \ge 2$, since the consensus problem for $n = 1$ is trivial. Node $i$ can reliably transmit messages to node $j$ if and only if the directed edge $(i, j)$ is in $\mathcal{E}$. Each node can send messages to itself as well; however, for convenience, we exclude self-loops from set $\mathcal{E}$. That is, $(i, i) \notin \mathcal{E}$ for $i \in \mathcal{V}$.

For each node $i$, let $N_i^-$ be the set of nodes from which $i$ has incoming edges. That is, $N_i^- = \{\, j \mid (j, i) \in \mathcal{E} \,\}$. Similarly, define $N_i^+$ as the set of nodes to which node $i$ has outgoing edges. That is, $N_i^+ = \{\, j \mid (i, j) \in \mathcal{E} \,\}$. Nodes in $N_i^-$ and $N_i^+$ are, respectively, said to be incoming and outgoing neighbors of node $i$. Since we exclude self-loops from $\mathcal{E}$, $i \notin N_i^-$ and $i \notin N_i^+$. However, we note again that each node can indeed send messages to itself.

Failure Model: We consider the Byzantine failure model, with up to $f$ nodes becoming faulty. A faulty node may misbehave arbitrarily. Possible misbehavior includes sending incorrect and mismatching (or inconsistent) messages to different neighbors. The faulty nodes may potentially collaborate with each other. Moreover, the faulty nodes are assumed to have complete knowledge of the execution of the algorithm, including the states of all the nodes, the contents of messages the other nodes send to each other, the algorithm specification, and the network topology.

¹ See Section 6 for a variation on the validity condition.
3 Middle Algorithm

The Middle algorithm is an iterative approximate Byzantine consensus (IABC) algorithm, and its structure is similar to other algorithms studied in prior work [1, 2, 3]. Each node $i$ maintains state $v_i$, with $v_i[t]$ denoting the state of node $i$ at the end of the $t$-th iteration of the algorithm ($t \ge 0$). The initial state of node $i$, $v_i[0]$, is equal to the initial input provided to node $i$. At the start of the $t$-th iteration ($t > 0$), the state of node $i$ is $v_i[t-1]$. The Middle algorithm requires each node $i$ to perform the following three steps in iteration $t$, where $t > 0$. Note that the faulty nodes may deviate from this specification.

Middle Algorithm

1. Transmit step: Transmit current state $v_i[t-1]$ on all outgoing edges.

2. Receive step: Receive values on all incoming edges. These values form vector $r_i[t]$ of size $|N_i^-|$. When a fault-free node expects to receive a message from a neighbor but does not receive the message, the message value is assumed to be equal to some default value.

3. Update step:

• Sort the values in $r_i[t]$ in increasing order, with ties broken arbitrarily, and use the sorted order of values to form a partition of the nodes in $N_i^-$ into sets $B$, $M$, $T$ as follows: (i) set $B$ contains the nodes from whom the smallest $\lfloor |N_i^-|/3 \rfloor$ values in the sorted $r_i[t]$ are received, (ii) set $T$ contains the nodes from whom the largest $\lfloor |N_i^-|/3 \rfloor$ values in the sorted $r_i[t]$ are received, and (iii) set $M$ contains the remaining nodes, from whom the values in the "middle" of the sorted $r_i[t]$ are received. That is, $M = N_i^- - B - T$.² Thus, $|M| = |N_i^-| - 2\lfloor |N_i^-|/3 \rfloor$.

• Let $w_j$ denote the value received from node $j \in M$. For convenience, define $w_i = v_i[t-1]$ to be the value node $i$ "receives" from itself. Observe that if $j \in \{i\} \cup M$ is fault-free, then $w_j = v_j[t-1]$.

• Define

$$v_i[t] = \sum_{j \in \{i\} \cup M} a_i \, w_j \qquad (1)$$

where

$$a_i = \frac{1}{|M| + 1} = \frac{1}{|N_i^-| - 2\lfloor |N_i^-|/3 \rfloor + 1}.$$

The "weight" of each term on the right-hand side of (1) is $a_i$, and these weights add to 1. Also, $0 < a_i < 1$.

For future reference, let us define $\alpha$ as:

$$\alpha = \min_{i \in \mathcal{V}} a_i \qquad (2)$$

We now define $U[t]$ and $\mu[t]$, assuming that $\mathcal{F}$ is the set of Byzantine faulty nodes, with the nodes in $\mathcal{V} - \mathcal{F}$ being fault-free.

• $U[t] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $U[t]$ is the largest state among the fault-free nodes at the end of the $t$-th iteration. Since the initial state of each node is equal to its input, $U[0]$ is equal to the maximum value of the initial input at the fault-free nodes.

• $\mu[t] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[t]$. $\mu[t]$ is the smallest state among the fault-free nodes at the end of the $t$-th iteration. $\mu[0]$ is equal to the minimum value of the initial input at the fault-free nodes.

The Middle algorithm is correct if it satisfies the following conditions in the presence of up to $f$ Byzantine faulty nodes:

• Validity: $\forall t > 0$, $\mu[t] \ge \mu[t-1]$ and $U[t] \le U[t-1]$

• Convergence: $\lim_{t \to \infty} U[t] - \mu[t] = 0$

The objective in this paper is to identify the necessary and sufficient conditions for the Middle algorithm to satisfy the above validity and convergence conditions for a given $G(\mathcal{V}, \mathcal{E})$.

² For sets $X$ and $Y$, $X - Y$ contains the elements that are in $X$ but not in $Y$. That is, $X - Y = \{\, i \mid i \in X,\ i \notin Y \,\}$.
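As an added illustration (not code from the paper), the Python below implements the three steps above for a synchronous execution and checks the validity and convergence conditions on two constructed graphs: a complete 4-node graph, which meets $|N_v^-| \ge 3f$ for $f = 1$, and a variant in which node 1 has in-degree $2 < 3f$, which reproduces the validity violation used in the proof of Theorem 1. The graphs, inputs and the two-faced faulty sender are constructed sample values.

```python
from typing import Callable, Dict, List, Set

# A graph is a dict mapping each node i to the set of its incoming neighbours N_i^-.
Graph = Dict[int, Set[int]]
# A Byzantine sender: (sender, receiver, current states) -> value placed on that link.
Sender = Callable[[int, int, Dict[int, float]], float]


def middle_update(own_state: float, received: List[float]) -> float:
    """Update step (step 3) at one fault-free node.

    Sorts r_i[t], discards the floor(|N_i^-|/3) smallest values (set B) and the
    floor(|N_i^-|/3) largest values (set T), and averages the remaining |M| values
    together with the node's own state, each with weight a_i = 1/(|M| + 1), as in (1).
    """
    ordered = sorted(received)
    k = len(ordered) // 3                   # floor(|N_i^-| / 3)
    middle = ordered[k:len(ordered) - k]    # values from nodes in M; |M| = |N_i^-| - 2k
    kept = [own_state] + middle
    return sum(kept) / len(kept)


def run_middle(graph: Graph, inputs: Dict[int, float], faulty: Set[int],
               send: Sender, iterations: int) -> List[Dict[int, float]]:
    """Synchronous execution; returns the fault-free states after each iteration.

    Fault-free nodes transmit their true state on every outgoing edge (step 1).
    A faulty node's message on each edge is whatever `send` returns, so it may be
    inconsistent across receivers, as the failure model allows.
    """
    states = dict(inputs)
    history = [{i: v for i, v in states.items() if i not in faulty}]
    for _ in range(iterations):
        new_states = {}
        for i, in_nbrs in graph.items():
            if i in faulty:
                continue                    # faulty nodes need no state of their own
            received = [send(j, i, states) if j in faulty else states[j]
                        for j in in_nbrs]   # step 2: the vector r_i[t]
            new_states[i] = middle_update(states[i], received)
        states.update(new_states)
        history.append(dict(new_states))
    return history


def validity_holds(history: List[Dict[int, float]]) -> bool:
    """Validity: mu[t] >= mu[t-1] and U[t] <= U[t-1] over the fault-free states."""
    for prev, cur in zip(history, history[1:]):
        if min(cur.values()) < min(prev.values()) or max(cur.values()) > max(prev.values()):
            return False
    return True


def spread(history: List[Dict[int, float]], t: int) -> float:
    """U[t] - mu[t] over the fault-free states."""
    return max(history[t].values()) - min(history[t].values())


# Constructed sample: complete directed graph on nodes 1..4, node 4 faulty (f = 1).
COMPLETE_4: Graph = {i: {j for j in range(1, 5) if j != i} for i in range(1, 5)}
# Constructed sample: same graph except node 1 only hears from nodes 2 and 4, so
# |N_1^-| = 2 < 3f and floor(2/3) = 0 values are trimmed at node 1.
WEAK_IN_DEGREE_4: Graph = {**COMPLETE_4, 1: {2, 4}}
INPUTS = {1: 0.0, 2: 1.0, 3: 0.5, 4: 0.0}    # node 4's input is irrelevant (it is faulty)
FAULTY = {4}


def two_faced(sender: int, receiver: int, states: Dict[int, float]) -> float:
    """Constructed Byzantine behaviour: a huge value to node 1, a tiny one to everyone else."""
    return 100.0 if receiver == 1 else -100.0


def simulate_complete(iterations: int = 40) -> List[Dict[int, float]]:
    return run_middle(COMPLETE_4, INPUTS, FAULTY, two_faced, iterations)


def simulate_weak(iterations: int = 1) -> List[Dict[int, float]]:
    return run_middle(WEAK_IN_DEGREE_4, INPUTS, FAULTY, two_faced, iterations)


if __name__ == "__main__":
    good = simulate_complete()
    print("complete graph: validity", validity_holds(good),
          "spread after 40 iterations", spread(good, 40))
    bad = simulate_weak()
    print("in-degree 2 < 3f: validity", validity_holds(bad), "node 1 state", bad[1][1])
```

In the weak graph node 1 keeps the faulty value in $M$ and moves to $(0 + 1 + 100)/3$, above $U[0] = 1$; in the complete graph the faulty value always lands in $B$ or $T$ and the fault-free spread halves every iteration.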


4 Necessary Condition

For the Middle algorithm to be correct, the network graph $G(\mathcal{V}, \mathcal{E})$ must satisfy the necessary condition proved in this section. We first define relations $\Rightarrow$ and $\not\Rightarrow$ that are used frequently in our discussion.

Definition 1 For non-empty disjoint sets of nodes $A$ and $B$,

• $A \Rightarrow B$ iff there exists a node $v \in B$ such that

$$\frac{|N_v^- \cap A|}{|N_v^-|} \ge \frac{1}{3} \qquad (3)$$

• $A \not\Rightarrow B$ iff $A \Rightarrow B$ is not true.

Theorem 1 Suppose that the Middle Algorithm is correct in graph $G(\mathcal{V}, \mathcal{E})$ in the presence of up to $f$ Byzantine faults. Then, both the following conditions must be true:

• For every node $v \in \mathcal{V}$, $|N_v^-| \ge 3f$.

• Let sets $F, L, C, R$ form a partition³ of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $|F| \le f$. Then, either $C \cup R \Rightarrow L$, or $L \cup C \Rightarrow R$.

Proof:

³ Sets $X_1, X_2, X_3, \ldots, X_p$ are said to form a partition of set $X$ provided that (i) $\bigcup_{1 \le i \le p} X_i = X$, and (ii) $X_i \cap X_j = \emptyset$ if $i \ne j$.




Proof of first condition: The first condition is trivially true when $f = 0$. Thus, let us now assume that $f \ge 1$. Suppose by way of contradiction that there exists a node $i$ such that $|N_i^-| < 3f$. Consider two cases in iteration 1:

• $|N_i^-| = 0$: Suppose that node $i$ has initial input $X$, and all the remaining nodes have input $x$, where $x < X$. Since node $i$ has no incoming edges, clearly, $v_i[1] = X$. Consider two cases:

- There exists a node $j \ne i$ such that $(i, j) \in \mathcal{E}$, and the in-degree of node $j$ is such that the value $X$ is not eliminated in the Update step, i.e., $|N_j^-| \le 2$: In this case, $v_j[1] > x$ since $X > x$. However, in the event that node $i$ is actually faulty, $v_j[1]$ will not satisfy the validity condition, since the initial inputs at all the fault-free nodes are all $x$ (if node $i$ were to be faulty).

- For each node $j \ne i$, either $(i, j) \notin \mathcal{E}$, or $(i, j) \in \mathcal{E}$ but the value received from node $i$ is dropped at node $j$ during the Update step: In this case, all the values that affect the new state of node $j$ are $x$, and $v_j[1] = x$. It is easy to see that the same scenario will repeat in each iteration, violating the convergence condition when all the nodes (including $i$) are fault-free ($v_i$ remains at $X$, and for each node $j \ne i$, $v_j$ remains at $x$).

• $|N_i^-| \ge 1$: Assume that $\min(f, |N_i^-|)$ incoming neighbors of node $i$ are faulty, and that all the remaining nodes are fault-free. Let $F$ denote the set of faulty nodes. Note that $|F| \ge 1$.

Let $R = \mathcal{V} - \{i\} - F$. Consider the case when (i) each node in $R$ has input $x$, and (ii) node $i$ has input $X > x$. In the Transmit step of iteration 1, suppose that the faulty nodes in $F$ send a sufficiently large value $Y$ (elaborated below) on outgoing links to node $i$, and send value $x$ on outgoing links to nodes in $R$. This behavior is possible since nodes in $F$ are faulty. Each fault-free node $k \in \mathcal{V} - F$ sends $v_k[0]$ (its input) on all its outgoing links.

Since $|N_i^-| < 3f$, set $M$ at node $i$ in iteration 1 contains at least one value received from a faulty incoming neighbor. Then it is easy to see that the faulty nodes can choose $Y$ such that $v_i[1] > X$. Since $i$ is fault-free, and $v_i[1]$ exceeds the initial input at all the fault-free nodes, the validity condition is violated.

In all cases above, either validity or convergence is violated, contradicting the assumption that the Middle algorithm is correct in the given graph.

Proof of second condition: Since the first condition is already proved to be necessary, we assume that the graph satisfies that condition. The proof for the second condition is also by contradiction. Suppose that the second condition is violated, i.e., in $G$, there exists some partition $F, L, C, R$ such that $C \cup R \not\Rightarrow L$ and $L \cup C \not\Rightarrow R$. Thus, for any $i \in L$, $\frac{|N_i^- \cap (C \cup R)|}{|N_i^-|} < \frac{1}{3}$, and for any $j \in R$, $\frac{|N_j^- \cap (L \cup C)|}{|N_j^-|} < \frac{1}{3}$.

Also assume that the nodes in $F$ (if non-empty) are all faulty, and the nodes in $L, R, C$ are all fault-free. Note that the fault-free nodes are not aware of the true identity of the faulty nodes.

Consider the case when (i) each node in $L$ has initial input $x$, (ii) each node in $R$ has initial input $X$, such that $X > x$, and (iii) each node in $C$ (if non-empty) has an input in the interval $(x, X)$.

In the Transmit step of iteration 1, suppose that each faulty node in $F$ (if non-empty) sends $x^- < x$ on outgoing links to nodes in $L$, sends $X^+ > X$ on outgoing links to nodes in $R$, and sends some arbitrary value in the interval $[x, X]$ on outgoing links to nodes in $C$ (if non-empty). This behavior is possible since nodes in $F$ are faulty. Note that $x^- < x < X < X^+$. Each fault-free node $k \in \mathcal{V} - F$ sends $v_k[0]$ to the nodes in $N_k^+$ in iteration 1.

Consider a node $i \in L$. In iteration 1, node $i$ receives $x^-$ from the nodes in $N_i^- \cap F$, $x$ from the nodes in $\{i\} \cup (N_i^- \cap L)$, and values in $(x, X]$ from the nodes in $N_i^- \cap (C \cup R)$. Then in the Update step, $|B| \ge f \ge |F|$ due to the first condition, i.e., $|N_i^-| \ge 3f$. Furthermore, set $T$ (calculated in the Update step at node $i$) contains all the values from $N_i^- \cap (C \cup R)$, since $C \cup R \not\Rightarrow L$, i.e., $\frac{|N_i^- \cap (C \cup R)|}{|N_i^-|} < \frac{1}{3}$, and the values received from the nodes in $C \cup R$ are the largest values in vector $r_i[1]$. Recall that in the Update step, node $i$ eliminates sets $B$ and $T$, and the remaining values, i.e., the values in $\{i\} \cup M$, are all $x$; therefore, $v_i[1]$ will be set to $x$ as per (1).

Thus, $v_i[1] = x$ for each node $i \in L$. Similarly, we can show that $v_j[1] = X$ for each node $j \in R$. Now consider the nodes in set $C$ (if non-empty). The initial state of the nodes in $C$ is in $(x, X)$, and all the values received from the neighbors are in $[x, X]$; therefore, the new state of the nodes in $C$ will remain in $(x, X)$ when using the Middle algorithm (since the node's own state is assigned a non-zero weight in (1)).

The above discussion implies that, at the end of iteration 1, the following conditions hold true: (i) the state of each node in $L$ is $x$, (ii) the state of each node in $R$ is $X$, and (iii) the state of each node in $C$ is in the interval $(x, X)$. These conditions are identical to the initial conditions listed previously. Then, by a repeated application of the above argument (proof by induction), it follows that for any $t \ge 0$, $v_i[t] = x$ for all $i \in L$, $v_j[t] = X$ for all $j \in R$, and $v_k[t] \in (x, X)$ for all $k \in C$.

Since $L$ and $R$ both contain fault-free nodes, the convergence requirement is not satisfied. This is a contradiction to the assumption that a correct iterative algorithm exists.

□


5 Sufficient Condition

In Theorems 2 and 3 in this section, we prove that the Middle Algorithm satisfies the validity and convergence conditions, respectively, provided that $G(\mathcal{V}, \mathcal{E})$ satisfies the condition below, which matches the necessary condition stated in Theorem 1.

Sufficient condition:

• For every node $v \in \mathcal{V}$, $|N_v^-| \ge 3f$, and

• Let sets $F, L, C, R$ form a partition of $\mathcal{V}$, such that $L$ and $R$ are both non-empty, and $|F| \le f$. Then, either $C \cup R \Rightarrow L$, or $L \cup C \Rightarrow R$.

The claim below follows immediately from the second condition above by setting $C = \emptyset$.

Claim 1 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies the Sufficient condition stated above. Let $\{F, L, R\}$ be a partition of $\mathcal{V}$, such that $L$ and $R$ are both non-empty and $|F| \le f$. Then, either $L \Rightarrow R$ or $R \Rightarrow L$.

Theorem 2 Suppose that $\mathcal{F}$ is the set of Byzantine faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. Then the Middle Algorithm satisfies the validity condition.
Proof: Consider the $t$-th iteration, and any fault-free node $i \in \mathcal{V} - \mathcal{F}$. Consider two cases:

• $f = 0$: In this case, all nodes must be fault-free, and $\mathcal{F} = \emptyset$. In (1) in the Middle Algorithm, note that $v_i[t]$ is computed using states from the previous iteration at node $i$ and other nodes. By definition of $\mu[t-1]$ and $U[t-1]$, $v_j[t-1] \in [\mu[t-1], U[t-1]]$ for all fault-free nodes $j \in \mathcal{V} - \mathcal{F} = \mathcal{V}$. Thus, in this case, all the values used in computing $v_i[t]$ are in the interval $[\mu[t-1], U[t-1]]$. Since $v_i[t]$ is computed as a weighted average of these values, $v_i[t]$ is also within $[\mu[t-1], U[t-1]]$.

• $f > 0$: Since $|N_i^-| \ge 3f$, $|r_i[t]| \ge 3f$. Thus set $T$ in the Update step contains at least the largest $f$ values from $r_i[t]$, and set $B$ contains at least the smallest $f$ values from $r_i[t]$. Since at most $f$ nodes are faulty, it follows that either (i) the values received from the faulty nodes are all eliminated, or (ii) the values from the faulty nodes that still remain are between values received from two fault-free nodes. Thus, the remaining values in $r_i[t]$, that is, the values received from nodes in set $M$, are all in the interval $[\mu[t-1], U[t-1]]$. Also, $v_i[t-1]$ is in $[\mu[t-1], U[t-1]]$, as per the definition of $\mu[t-1]$ and $U[t-1]$. Thus $v_i[t]$ is computed as a weighted average of values in $[\mu[t-1], U[t-1]]$, and, therefore, it will also be in $[\mu[t-1], U[t-1]]$.

Since $\forall i \in \mathcal{V} - \mathcal{F}$, $v_i[t] \in [\mu[t-1], U[t-1]]$, the validity condition is satisfied. □


Definition 2 For disjoint sets $A, B$, $in(A \Rightarrow B)$ denotes the set of all the nodes in $B$ that have at least $1/3$ of their incoming edges from nodes in $A$. More formally,

$$in(A \Rightarrow B) = \left\{\, v \;\middle|\; v \in B \text{ and } \frac{|N_v^- \cap A|}{|N_v^-|} \ge \frac{1}{3} \,\right\}$$

With an abuse of notation, when $A \not\Rightarrow B$, define $in(A \Rightarrow B) = \emptyset$.


Definition 3 For non-empty disjoint sets $A$ and $B$, set $A$ is said to propagate to set $B$ in $l$ steps, where $l > 0$, if there exist sequences of sets $A_0, A_1, A_2, \ldots, A_l$ and $B_0, B_1, B_2, \ldots, B_l$ (propagating sequences) such that

• $A_0 = A$, $B_0 = B$, $A_l = A \cup B$, $B_l = \emptyset$, $B_\tau \ne \emptyset$ for $\tau < l$, and

• for $0 \le \tau \le l - 1$,

- $A_\tau \Rightarrow B_\tau$,

- $A_{\tau+1} = A_\tau \cup in(A_\tau \Rightarrow B_\tau)$, and

- $B_{\tau+1} = B_\tau - in(A_\tau \Rightarrow B_\tau)$

Observe that $A_\tau$ and $B_\tau$ form a partition of $A \cup B$, and for $\tau < l$, $in(A_\tau \Rightarrow B_\tau) \ne \emptyset$. Also, when set $A$ propagates to set $B$, the number of steps $l$ in the above definition is upper bounded by $n - 1$.

Lemma 1 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. For any partition $A, B, F$ of $\mathcal{V}$, where $A, B$ are both non-empty, and $|F| \le f$, either $A$ propagates to $B$, or $B$ propagates to $A$.

The proof of Lemma 1 is similar to the proof in our prior work [3]; the proof is included in Appendix A.
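The relation $A \Rightarrow B$ of Definition 1, the set $in(A \Rightarrow B)$ of Definition 2 and the propagating sequences of Definition 3 are small enough to implement directly. The Python below (an added example, not the paper's code) does so and brute-forces the partition condition of Theorem 1, which is also the sufficient condition above, over all labellings $F, L, C, R$ of a small graph, so Lemma 1 can be checked on concrete instances. The graphs are constructed samples, and a node with no incoming edges is treated as not satisfying (3), an assumption the paper does not spell out.

```python
from itertools import product
from typing import Dict, Set

Graph = Dict[int, Set[int]]   # node -> its incoming neighbours N_i^-


def in_set(graph: Graph, A: Set[int], B: Set[int]) -> Set[int]:
    """Definition 2: the nodes v in B with |N_v^- cap A| / |N_v^-| >= 1/3.

    Empty when A =/=> B, matching the paper's convention. A node with no incoming
    edges is counted as not meeting (3) (assumption made here, not in the paper).
    """
    result = set()
    for v in B:
        n_in = graph[v]
        if n_in and 3 * len(n_in & A) >= len(n_in):   # integer form of (3)
            result.add(v)
    return result


def implies(graph: Graph, A: Set[int], B: Set[int]) -> bool:
    """Definition 1: A => B iff some node of B gets at least 1/3 of its in-edges from A."""
    return bool(in_set(graph, A, B))


def propagates(graph: Graph, A: Set[int], B: Set[int]) -> int:
    """Definition 3: the number of steps l in which A propagates to B, or 0 if it does not.

    Builds A_0, A_1, ... and B_0, B_1, ... by moving in(A_t => B_t) from B_t into A_t.
    The construction is forced, so it fails exactly when A_t =/=> B_t for a non-empty B_t.
    """
    a_t, b_t = set(A), set(B)
    steps = 0
    while b_t:
        moved = in_set(graph, a_t, b_t)
        if not moved:
            return 0            # A_t =/=> B_t: no propagating sequence exists
        a_t |= moved
        b_t -= moved
        steps += 1
    return steps


def satisfies_condition(graph: Graph, f: int) -> bool:
    """Brute-force check of the condition in Theorem 1 (the sufficient condition of Section 5).

    (i) every node has |N_v^-| >= 3f, and (ii) for every partition F, L, C, R of the
    nodes with L, R non-empty and |F| <= f, either C u R => L or L u C => R.
    Enumerates 4^n labellings, so it is meant for small graphs only.
    """
    nodes = sorted(graph)
    if any(len(graph[v]) < 3 * f for v in nodes):
        return False
    for labels in product("FLCR", repeat=len(nodes)):
        part = {k: {v for v, lab in zip(nodes, labels) if lab == k} for k in "FLCR"}
        F, L, C, R = part["F"], part["L"], part["C"], part["R"]
        if not L or not R or len(F) > f:
            continue
        if not (implies(graph, C | R, L) or implies(graph, L | C, R)):
            return False
    return True


# Constructed sample graphs.
COMPLETE_4: Graph = {i: {j for j in range(1, 5) if j != i} for i in range(1, 5)}
CYCLE_3: Graph = {1: {3}, 2: {1}, 3: {2}}                  # 1 -> 2 -> 3 -> 1
TWO_TRIANGLES: Graph = {1: {2, 3}, 2: {1, 3}, 3: {1, 2},
                        4: {5, 6}, 5: {4, 6}, 6: {4, 5}}   # no edges between the halves


def lemma1_holds(graph: Graph, A: Set[int], B: Set[int]) -> bool:
    """Lemma 1 on one instance with F empty: A propagates to B or B propagates to A."""
    return propagates(graph, A, B) > 0 or propagates(graph, B, A) > 0


if __name__ == "__main__":
    print("K4, f = 1:", satisfies_condition(COMPLETE_4, 1))
    print("two disjoint triangles, f = 0:", satisfies_condition(TWO_TRIANGLES, 0))
    print("3-cycle: {1} propagates to {2,3} in", propagates(CYCLE_3, {1}, {2, 3}), "steps")
```

The two disjoint triangles fail the partition condition even with $f = 0$ (take $L$ and $R$ to be the two triangles), which is the in-degree-independent part of Theorem 1.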

The lemma below states that the interval to which the states at all the fault-free nodes are confined shrinks after a finite number of iterations of the Middle Algorithm. Recall that $U[t]$ and $\mu[t]$ (defined in Section 3) are the maximum and minimum over the states at the fault-free nodes at the end of the $t$-th iteration.

Lemma 2 Suppose that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above, and $\mathcal{F}$ is the set of Byzantine faulty nodes. Moreover, at the end of the $s$-th iteration of the Middle Algorithm, suppose that the fault-free nodes in $\mathcal{V} - \mathcal{F}$ can be partitioned into non-empty sets $R$ and $L$ such that (i) $R$ propagates to $L$ in $l$ steps, and (ii) the states of the nodes in $R$ are confined to an interval of length $\le \frac{U[s] - \mu[s]}{2}$. Then, with the Middle algorithm,

$$U[s + l] - \mu[s + l] \le \left(1 - \frac{\alpha^{l}}{2}\right)\left(U[s] - \mu[s]\right) \qquad (4)$$

where $\alpha$ is as defined in (2).

The proof of the above lemma is presented in Appendix B.

Theorem 3 Suppose that $\mathcal{F}$ is the set of Byzantine faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the sufficient condition stated above. Then the Middle algorithm satisfies the convergence condition.

Proof: Our goal is to prove that, given any $\epsilon > 0$, there exists $\tau$ such that

$$U[t] - \mu[t] < \epsilon \quad \forall t \ge \tau \qquad (5)$$

Consider the $s$-th iteration, for some $s \ge 0$. If $U[s] - \mu[s] = 0$, then the algorithm has already converged, and the proof is complete, with $\tau = s$ (recall that we have already proved that the algorithm satisfies the validity condition).

Now, consider the case when $U[s] - \mu[s] > 0$. Partition $\mathcal{V} - \mathcal{F}$ into two subsets, $A$ and $B$, such that, for each node $i \in A$, $v_i[s] \in \left[\mu[s], \frac{U[s] + \mu[s]}{2}\right)$ and for each node $j \in B$, $v_j[s] \in \left[\frac{U[s] + \mu[s]}{2}, U[s]\right]$. By definition of $\mu[s]$ and $U[s]$, there exist fault-free nodes $i$ and $j$ such that $v_i[s] = \mu[s]$ and $v_j[s] = U[s]$. Thus, sets $A$ and $B$ are both non-empty. By Lemma 1, one of the following two conditions must be true:

• Set $A$ propagates to set $B$. Then, define $L = B$ and $R = A$. The states of all the nodes in $R = A$ are confined within an interval of length strictly less than $\frac{U[s] + \mu[s]}{2} - \mu[s] = \frac{U[s] - \mu[s]}{2}$.

• Set $B$ propagates to set $A$. Then, define $L = A$ and $R = B$. In this case, the states of all the nodes in $R = B$ are confined within an interval of length less than or equal to $U[s] - \frac{U[s] + \mu[s]}{2} = \frac{U[s] - \mu[s]}{2}$.

In both cases above, we have found non-empty sets $L$ and $R$ such that (i) $L, R$ is a partition of $\mathcal{V} - \mathcal{F}$, (ii) $R$ propagates to $L$, and (iii) the states in $R$ are confined to an interval of length less than or equal to $\frac{U[s] - \mu[s]}{2}$. Suppose that $R$ propagates to $L$ in $l(s)$ steps, where $l(s) \ge 1$. Then by Lemma 2,

$$U[s + l(s)] - \mu[s + l(s)] \le \left(1 - \frac{\alpha^{l(s)}}{2}\right)\left(U[s] - \mu[s]\right) \qquad (6)$$




In the Middle algorithm, observe that $a_i > 0$ for all $i$. Therefore, $\alpha$ defined in (2) is $> 0$. Then, $n - 1 \ge l(s) \ge 1$ and $0 < \alpha < 1$; hence, $0 < \left(1 - \frac{\alpha^{l(s)}}{2}\right) < 1$.

Let us define the following sequence of iteration indices:

• $\tau_0 = 0$,

• for $i > 0$, $\tau_i = \tau_{i-1} + l(\tau_{i-1})$, where $l(s)$ for any given $s$ was defined above.

If for some $i$, $U[\tau_i] - \mu[\tau_i] = 0$, then since the algorithm is already proved to satisfy the validity condition, we will have $U[t] - \mu[t] = 0$ for all $t \ge \tau_i$, and the proof of convergence is complete.

Now, suppose that $U[\tau_i] - \mu[\tau_i] \ne 0$ for the values of $i$ in the analysis below. By repeated application of the argument leading to (6), we can prove that, for $i \ge 0$,

$$U[\tau_i] - \mu[\tau_i] \le \left(\prod_{j=1}^{i} \left(1 - \frac{\alpha^{l(\tau_{j-1})}}{2}\right)\right)\left(U[0] - \mu[0]\right) \qquad (7)$$

For a given $\epsilon$, by choosing a large enough $i$, we can obtain

$$\left(\prod_{j=1}^{i} \left(1 - \frac{\alpha^{l(\tau_{j-1})}}{2}\right)\right)\left(U[0] - \mu[0]\right) < \epsilon \qquad (8)$$

and, therefore,

$$U[\tau_i] - \mu[\tau_i] < \epsilon$$

For $t \ge \tau_i$, by validity of the Middle algorithm, it follows that

$$U[t] - \mu[t] \le U[\tau_i] - \mu[\tau_i] < \epsilon$$

This concludes the proof. □


6 Discussion

The results in this report can be easily extended to the following version of the validity condition:

• Validity: $\forall t$, $\mu[t] \ge \mu[0]$ and $U[t] \le U[0]$

This validity condition is weaker than the condition satisfied by the Middle algorithm; therefore, the algorithm satisfies this validity condition as well. Also, it should be easy to see that our necessary condition also holds under the above validity condition (the proof remains essentially unchanged).

In our analysis here, we assumed that the system is synchronous, and messages sent in each iteration are delivered in the same iteration. That is, the state update in the $t$-th iteration uses the neighbors' states at the end of the $(t-1)$-th iteration. The results in this paper can be extended to the case when messages may be delayed such that the latest state available from a neighbor may be from iteration $(t - B)$, for some finite $B > 0$. In this case, our original validity condition will need to be modified to require that the state of the fault-free nodes at the end of any iteration remains in the convex hull of the fault-free nodes $B$ iterations ago.

We now state a result without proof. Further details will be presented elsewhere. Consider an Erdős-Rényi random graph $G_{n,p}(\mathcal{V}, \mathcal{E})$, where $\mathcal{V}$ contains $n$ vertices, and edge $(i, j) \in \mathcal{E}$ with probability $p$ independently for each $(i, j)$. For large $n$, this random graph satisfies the condition in Theorem 1 with high probability if and only if $p = \Omega(t)$, where $t$ is a threshold dependent on $n$ and $f$.

7 Summary

This paper introduces a parameter-independent iterative algorithm, the Middle algorithm, that solves the approximate Byzantine consensus problem. The Middle algorithm does not explicitly use the global parameter of the graph, i.e., the upper bound on the number of faults, $f$. We prove tight necessary and sufficient conditions for the correctness of the Middle algorithm that tolerates up to $f$ Byzantine faults in directed graphs.
A Proof of Lemma 1

To prove Lemma 1, we first prove the following lemma.

Lemma 3 Assume that $G(\mathcal{V}, \mathcal{E})$ satisfies the Sufficient condition. Consider a partition $A, B, F$ of $\mathcal{V}$ such that $A$ and $B$ are non-empty, and $|F| \le f$. If $B \not\Rightarrow A$, then set $A$ propagates to set $B$.

Proof: Since $B \not\Rightarrow A$, by Claim 1, $A \Rightarrow B$.

Define $A_0 = A$ and $B_0 = B$. Now, for a suitable $l > 0$, we will build propagating sequences $A_0, A_1, \ldots, A_l$ and $B_0, B_1, \ldots, B_l$ inductively.

• Recall that $A = A_0$ and $B = B_0 \ne \emptyset$. Since $A \Rightarrow B$, $in(A_0 \Rightarrow B_0) \ne \emptyset$. Define $A_1 = A_0 \cup in(A_0 \Rightarrow B_0)$ and $B_1 = B_0 - in(A_0 \Rightarrow B_0)$.

If $B_1 = \emptyset$, then $l = 1$, and we have found the propagating sequence already.

If $B_1 \ne \emptyset$, then define $L = A = A_0$, $R = B_1$ and $C = A_1 - A = B - B_1$. Note that $B = R \cup C$, $A_1 = L \cup C$, and $L, C, R, F$ form a partition of the set of nodes. Since $B \not\Rightarrow A$, $R \cup C \not\Rightarrow L$. Therefore, by the Sufficient condition, $L \cup C \Rightarrow R$. That is, $A_1 \Rightarrow B_1$.

• For increasing values of $i > 0$, given $A_i$ and $B_i$, where $B_i \ne \emptyset$, by following steps similar to the previous item, we can obtain $A_{i+1} = A_i \cup in(A_i \Rightarrow B_i)$ and $B_{i+1} = B_i - in(A_i \Rightarrow B_i)$, such that either $B_{i+1} = \emptyset$ or $A_{i+1} \Rightarrow B_{i+1}$.

In the above construction, $l$ is the smallest index such that $B_l = \emptyset$. □

Proof of Lemma 1

Proof: Consider two cases:

• $A \not\Rightarrow B$: Then by Lemma 3 above, $B$ propagates to $A$, completing the proof.

• $A \Rightarrow B$: In this case, consider two sub-cases:

- $A$ propagates to $B$: The proof in this case is complete.

- $A$ does not propagate to $B$: Recall that $A \Rightarrow B$. Since $A$ does not propagate to $B$, propagating sequences as defined in Definition 3 do not exist in this case. More precisely, there must exist $k > 0$, and sets $A_0, A_1, \ldots, A_k$ and $B_0, B_1, \ldots, B_k$, such that:

* $A_0 = A$ and $B_0 = B$, and

* for $0 \le i \le k - 1$,

o $A_i \Rightarrow B_i$,

o $A_{i+1} = A_i \cup in(A_i \Rightarrow B_i)$, and

o $B_{i+1} = B_i - in(A_i \Rightarrow B_i)$.

* $B_k \ne \emptyset$ and $A_k \not\Rightarrow B_k$.

The last condition above violates the requirements for $A$ to propagate to $B$.

Now, $A_k \ne \emptyset$, $B_k \ne \emptyset$, and $A_k, B_k, F$ form a partition of $\mathcal{V}$. Since $A_k \not\Rightarrow B_k$, by Lemma 3 above, $B_k$ propagates to $A_k$.

Given that $B_k \subseteq B_0 = B$, $A = A_0 \subseteq A_k$, and $B_k$ propagates to $A_k$, we now prove that $B$ propagates to $A$.

Recall that $A_i$ and $B_i$ form a partition of $\mathcal{V} - F$.

Let us define $P = P_0 = B_k$ and $Q = Q_0 = A_k$. Thus, $P$ propagates to $Q$. Suppose that $P_0, P_1, \ldots, P_m$ and $Q_0, Q_1, \ldots, Q_m$ are the propagating sequences in this case, with $P_i$ and $Q_i$ forming a partition of $P \cup Q = A_k \cup B_k = \mathcal{V} - F$.

Let us define $R = R_0 = B$ and $S = S_0 = A$. Note that $R, S$ form a partition of $A \cup B = \mathcal{V} - F$. Now, $P_0 = B_k \subseteq B = R_0$ and $S_0 = A \subseteq A_k = Q_0$. Also, $R_0 - P_0$ and $S_0$ form a partition of $Q_0$.

* Define $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0)$, and $Q_1 = \mathcal{V} - F - P_1 = Q_0 - in(P_0 \Rightarrow Q_0)$. Also, $R_1 = R_0 \cup in(R_0 \Rightarrow S_0)$, and $S_1 = \mathcal{V} - F - R_1 = S_0 - in(R_0 \Rightarrow S_0)$.

Since $R_0 - P_0$ and $S_0$ are a partition of $Q_0$, the nodes in $in(P_0 \Rightarrow Q_0)$ belong to one of these two sets. Note that $R_0 - P_0 \subseteq R_0$. Also, $S_0 \cap in(P_0 \Rightarrow Q_0) \subseteq in(R_0 \Rightarrow S_0)$. Therefore, it follows that $P_1 = P_0 \cup in(P_0 \Rightarrow Q_0) \subseteq R_0 \cup in(R_0 \Rightarrow S_0) = R_1$. Thus, we have shown that $P_1 \subseteq R_1$. Then it follows that $S_1 \subseteq Q_1$.

* For $0 \le i < m$, let us define $R_{i+1} = R_i \cup in(R_i \Rightarrow S_i)$ and $S_{i+1} = S_i - in(R_i \Rightarrow S_i)$. Then, following an argument similar to the above case, we can inductively show that $P_i \subseteq R_i$ and $S_i \subseteq Q_i$. Due to the assumption on the length of the propagating sequence above, $P_m = P \cup Q = \mathcal{V} - F$ and $Q_m = \emptyset$. Thus, there must exist $r \le m$, such that for $i < r$, $R_i \ne \mathcal{V} - F$, and $R_r = \mathcal{V} - F$ and $S_r = \emptyset$.

The sequences $R_0, R_1, \ldots, R_r$ and $S_0, S_1, \ldots, S_r$ form propagating sequences, proving that $R = B$ propagates to $S = A$.

□


B  Proof  of  Lemma  2 

We  first  present  two  additional  lemmas  (using  the  notation  in  Middle  Algorithm). 

Lemma  4  Suppose  that  T  is  the  set  of  faulty  nodes,  and  that  GfV,  £>)  satisfies  the  "sufficient  condition" 
stated  in  Section  5.  Consider  node  i  €*V  -  T .  Let  ip  <  p[t  -  1].  Then,  for  j  £  {/}  U  M, 

Vi[t ]  -  ip  >  a i  (zvj  -  f) 

where  zvj  is  the  value  received  by  node  ifrom  node  j  in  the  t-th  iteration.  Specifically,  for  fault- free  j  e  {/}  UM, 

Vi[t]  -  ip  >  at  ( vft  -  1]  -  f) 

Proof:  In  (1)  in  Middle  Algorithm,  for  each  j  £  {/}  U  M,  consider  two  cases: 

•  j  is  faulty-free:  Then,  either  j  =  i  or  j  e  M  n  ('V  -  T).  In  this  case,  zvj  =  vft  -  1],  Therefore, 
p[t  -  1]  <  zvj  <  U[t  -  1], 

•  j  is  faulty:  In  this  case,  /  must  be  non-zero  (otherwise,  all  nodes  are  fault-free).  By  Theorem 
1,  \Np\  >  3 /.  Then  it  follows  that,  in  step  2  of  the  Middle  algorithm,  |B|  >  /,  and  set  B  contains 
the  state  of  at  least  one  fault-free  node,  say  k.  This  implies  that  <:y[f  -  1]  <  zvj.  This,  in  turn, 
implies  that  p[t  -  1]  <  zvj. 

Thus, for all $j \in \{i\} \cup M$, we have $\mu[t-1] \le w_j$. Therefore,

$$w_j - \psi \ge 0 \quad \text{for all } j \in \{i\} \cup M \tag{9}$$

Since weights in (1) in Middle Algorithm add to 1, we can re-write that equation as,

$$\begin{aligned}
v_i[t] - \psi &= \sum_{j \in \{i\} \cup M} a_i \,(w_j - \psi) \\
&\ge a_i \,(w_j - \psi), \quad \forall j \in \{i\} \cup M && \text{from (9)}
\end{aligned} \tag{10}$$

For fault-free $j \in \{i\} \cup M$, $w_j = v_j[t-1]$, therefore,

$$v_i[t] - \psi \ge a_i \,(v_j[t-1] - \psi) \tag{11}$$

□
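The two cases in the proof of Lemma 4 rest on the trimming step of Middle Algorithm: with $|N_i^-| \ge 3f$, every value that survives into $M$, even one sent by a faulty node, is bounded by a fault-free state. The following is an added example, not code from the paper; it assumes that node $i$ trims the $\lfloor |N_i^-|/3 \rfloor$ smallest received values (set $B$) and as many largest ones (set $T$), and averages the remaining set $M$ with its own state using equal weights $a_i = 1/(|M|+1)$. It checks the Lemma 4 bound on a constructed input with two Byzantine in-neighbours and contrasts it with an untrimmed average.

```python
# Added example, not code from the paper: one update step of the Middle
# Algorithm as the proof of Lemma 4 uses it. ASSUMPTIONS (labelled): node i
# trims the floor(|N_i^-|/3) smallest received values (set B) and the same
# number of largest ones (set T), keeps the middle set M, and averages M with
# its own state using equal weights a_i = 1/(|M|+1), which sum to 1 as in (1).

def middle_step(own, received, cut=None):
    """One iteration at node i. `received` maps neighbour id -> value w_j.
    cut=None uses the Middle Algorithm trim; cut=0 is a plain average."""
    order = sorted(received, key=lambda j: received[j])
    if cut is None:
        cut = len(order) // 3            # |B| = |T| = floor(|N_i^-|/3)
    kept = order[cut:len(order) - cut]   # ids in the middle set M
    a_i = 1.0 / (len(kept) + 1)          # uniform weights summing to 1
    new = a_i * (own + sum(received[j] for j in kept))
    return new, kept, a_i

def lemma4_holds(own, received, psi):
    """Check v_i[t] - psi >= a_i (w_j - psi) for every j in {i} U M."""
    new, kept, a_i = middle_step(own, received)
    return all(new - psi >= a_i * (w - psi) - 1e-12
               for w in [own] + [received[j] for j in kept])

# Constructed scenario (f = 2 faulty in-neighbours, |N_i^-| = 6 >= 3f).
# Fault-free states lie in [4, 9]; node 5 sends an absurd value, node 6 sends
# a plausible one that survives trimming and lands in M.
OWN = 6.0
HONEST = {1: 4.0, 2: 5.5, 3: 7.0, 4: 9.0}
BYZANTINE = {5: -1000.0, 6: 6.5}
RECEIVED = {**HONEST, **BYZANTINE}
MU = min(HONEST.values())   # mu[t-1] over fault-free nodes (own state 6.0 is inside)
U = max(HONEST.values())    # U[t-1]

def run(cut=None):
    """Return (new state, every kept value within [mu, U], new state in hull)."""
    new, kept, _ = middle_step(OWN, RECEIVED, cut)
    kept_bounded = all(MU <= RECEIVED[j] <= U for j in kept)
    return new, kept_bounded, MU <= new <= U

if __name__ == "__main__":
    print("trimmed:", run())       # faulty survivor 6.5 is bounded by honest values
    print("untrimmed:", run(0))    # plain average is dragged out of the hull
    print("Lemma 4 bound holds:", lemma4_holds(OWN, RECEIVED, MU))
```

With the trim, the surviving faulty value sits between two fault-free values, which is exactly why the "$j$ is faulty" case of the proof can lower-bound it by $\mu[t-1]$; without the trim, a single extreme value violates validity.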
Lemma 5 Suppose that $\mathcal{F}$ is the set of faulty nodes, and that $G(\mathcal{V}, \mathcal{E})$ satisfies the "sufficient condition" stated in Section 5. Consider fault-free node $i \in \mathcal{V} - \mathcal{F}$. Let $\Psi \ge U[t-1]$. Then, for $j \in \{i\} \cup M$,

$$\Psi - v_i[t] \ge a_i \,(\Psi - w_j)$$

where $w_j$ is the value received by node $i$ from node $j$ in the $t$-th iteration. Specifically, for fault-free $j \in \{i\} \cup M$,

$$\Psi - v_i[t] \ge a_i \,(\Psi - v_j[t-1])$$


Proof: The proof is similar to that of Lemma 4. □

Proof  of  Lemma  2 


Proof: Since $R$ propagates to $L$, as per Definition 3, there exist sequences of sets $R_0, R_1, \dots, R_l$ and $L_0, L_1, \dots, L_l$, where

• $R_0 = R$, $L_0 = L$, $R_l = R \cup L$, $L_l = \emptyset$, for $0 \le \tau < l$, $L_\tau \ne \emptyset$, and

• for $0 \le \tau \le l - 1$,

  * $R_\tau \Rightarrow L_\tau$,

  * $R_{\tau+1} = R_\tau \cup \mathrm{in}(R_\tau \Rightarrow L_\tau)$, and

  * $L_{\tau+1} = L_\tau - \mathrm{in}(R_\tau \Rightarrow L_\tau)$


Let us define the following bounds on the states of the nodes in $R$ at the end of the $s$-th iteration:

$$X = \max_{j \in R} v_j[s] \tag{12}$$

$$x = \min_{j \in R} v_j[s] \tag{13}$$

By the assumption in the statement of Lemma 2,

$$X - x \le \frac{U[s] - \mu[s]}{2} \tag{14}$$

Also, $X \le U[s]$ and $x \ge \mu[s]$. Therefore, $U[s] - X \ge 0$ and $x - \mu[s] \ge 0$.

The  remaining  proof  of  Lemma  2  relies  on  derivation  of  the  three  intermediate  claims  below. 


Claim 2 For $0 \le \tau \le l$, for each node $i \in R_\tau$,

$$v_i[s+\tau] - \mu[s] \ge a^{\tau}(x - \mu[s]) \tag{15}$$

Proof of Claim 2: The proof is by induction.

Induction basis: By definition of $x$, (15) holds true for $\tau = 0$.

Induction: Assume that (15) holds true for some $\tau$, $0 \le \tau < l$. Consider $R_{\tau+1}$. Observe that $R_\tau$ and $R_{\tau+1} - R_\tau$ form a partition of $R_{\tau+1}$; let us consider each of these sets separately.
• Set $R_\tau$: By assumption, for each $i \in R_\tau$, (15) holds true. By validity of Middle Algorithm (proved in Theorem 2), $\mu[s] \le \mu[s+\tau]$. Therefore, setting $\psi = \mu[s]$ and $t = s+\tau+1$ in Lemma 4, we get,

$$\begin{aligned}
v_i[s+\tau+1] - \mu[s] &\ge a_i \,(v_i[s+\tau] - \mu[s]) \\
&\ge a_i \, a^{\tau}(x - \mu[s]) && \text{due to (15)} \\
&\ge a^{\tau+1}(x - \mu[s]) && \text{due to (2) and because } x - \mu[s] \ge 0
\end{aligned}$$

• Set $R_{\tau+1} - R_\tau$: Consider a node $i \in R_{\tau+1} - R_\tau$. By definition of $R_{\tau+1}$, we have that $i \in \mathrm{in}(R_\tau \Rightarrow L_\tau)$. Thus,

$$\frac{|N_i^- \cap R_\tau|}{|N_i^-|} > \frac{1}{3}$$

In Middle Algorithm, values in sets $B$ and $T$ received by node $i$ are eliminated before $v_i[s+\tau+1]$ is computed at the end of the $(s+\tau+1)$-th iteration. Consider two possibilities:

- Value received from one of the nodes in $N_i^- \cap R_\tau$ is not eliminated. Suppose that this value is received from fault-free node $p \in N_i^- \cap R_\tau$. Then, $p \in M$, and by an argument similar to the previous case, we can set $\psi = \mu[s]$ in Lemma 4, to obtain,

$$\begin{aligned}
v_i[s+\tau+1] - \mu[s] &\ge a_i \,(v_p[s+\tau] - \mu[s]) \\
&\ge a_i \, a^{\tau}(x - \mu[s]) && \text{due to (15)} \\
&\ge a^{\tau+1}(x - \mu[s]) && \text{due to (2) and because } x - \mu[s] \ge 0
\end{aligned}$$

- Values received from all nodes in $N_i^- \cap R_\tau$ are eliminated. Thus, $(N_i^- \cap R_\tau) \subseteq T \cup B$. Recall that $|N_i^- \cap R_\tau| > |N_i^-|/3 \ge |B| = |T|$. Thus, $T$ and $B$ both must contain at least one node from $N_i^- \cap R_\tau$. Therefore, the values that are not eliminated, that is, values received from nodes in $M$, are within the interval to which the values received from the nodes in $N_i^- \cap R_\tau$ belong. Thus, there exists a node $k$ (possibly faulty) in $M$ from whom node $i$ receives some value $w_k$, which is not eliminated, and a fault-free node $p \in N_i^- \cap R_\tau$ such that

$$v_p[s+\tau] \le w_k \tag{16}$$

Then by setting $\psi = \mu[s]$ and $t = s+\tau+1$ in Lemma 4, we have

$$\begin{aligned}
v_i[s+\tau+1] - \mu[s] &\ge a_i \,(w_k - \mu[s]) \\
&\ge a_i \,(v_p[s+\tau] - \mu[s]) && \text{by (16)} \\
&\ge a_i \, a^{\tau}(x - \mu[s]) && \text{due to (15)} \\
&\ge a^{\tau+1}(x - \mu[s]) && \text{due to (2) and because } x - \mu[s] \ge 0
\end{aligned}$$
Thus, we have shown that for all nodes in $R_{\tau+1}$,

$$v_i[s+\tau+1] - \mu[s] \ge a^{\tau+1}(x - \mu[s])$$

This completes the proof of Claim 2.

Claim 3 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$v_i[s+l] - \mu[s] \ge a^{l}(x - \mu[s]) \tag{17}$$

Proof of Claim 3: Note that by definition, $R_l = \mathcal{V} - \mathcal{F}$. Then the proof follows by setting $\tau = l$ in the above Claim 2.

Claim 4 For each node $i \in \mathcal{V} - \mathcal{F}$,

$$U[s] - v_i[s+l] \ge a^{l}(U[s] - X) \tag{18}$$

The proof of Claim 4 is similar to the proof of Claim 3.


Now let us resume the proof of Lemma 2. We have

$$U[s+l] = \max_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \le U[s] - a^{l}(U[s] - X) \quad \text{by (18)} \tag{19}$$

and

$$\mu[s+l] = \min_{i \in \mathcal{V} - \mathcal{F}} v_i[s+l] \ge \mu[s] + a^{l}(x - \mu[s]) \quad \text{by (17)} \tag{20}$$

Subtracting (20) from (19),

$$\begin{aligned}
U[s+l] - \mu[s+l] &\le U[s] - a^{l}(U[s] - X) - \mu[s] - a^{l}(x - \mu[s]) \\
&= (1 - a^{l})(U[s] - \mu[s]) + a^{l}(X - x) \\
&\le (1 - a^{l})(U[s] - \mu[s]) + a^{l} \, \frac{U[s] - \mu[s]}{2} && \text{by (14)} \\
&\le \left(1 - \frac{a^{l}}{2}\right)(U[s] - \mu[s])
\end{aligned}$$

This concludes the proof of Lemma 2.

□